我一直试图将电话挂钩到' recv'来自Chrome和Firefox使用EasyHook。但是,这不起作用 - 它不会因任何错误而失败,但也不会捕获任何数据包。我尝试过使用' CreateFile'挂钩,这非常好...... 由于没有关于此的文档,我无法修复此问题。这是我的代码:
// the injected library
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using EasyHook;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;
namespace SocketMon
{
public class Injection : EasyHook.IEntryPoint
{
SocketMonInterface Interface;
LocalHook CreateFileHook;
Stack<String> Queue = new Stack<String>();
public Injection(RemoteHooking.IContext InContext, String InChannelName)
{
// connect to host...
Interface =
RemoteHooking.IpcConnectClient<SocketMonInterface>(InChannelName);
// validate connection...
Interface.Ping();
}
public void Run(RemoteHooking.IContext InContext, String InChannelName)
{
// install hook...
try
{
CreateFileHook = LocalHook.Create(
LocalHook.GetProcAddress("Ws2_32.dll", "recv"),
new Drecv(recv_Hooked),
this);
CreateFileHook.ThreadACL.SetInclusiveACL(new Int32[] { 0 });
}
catch (Exception ExtInfo)
{
Interface.ReportException(ExtInfo);
return;
}
Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
// wait for host process termination...
try
{
while (true)
{
Thread.Sleep(500);
if (Queue.Count > 0)
{
String[] Package = null;
MessageBox.Show(Queue.Count.ToString());
lock (Queue)
{
Package = Queue.ToArray();
Queue.Clear();
}
Interface.OnRecvData(RemoteHooking.GetCurrentProcessId(), Package);
}
else
Interface.Ping();
}
}
catch
{
// NET Remoting will raise an exception if host is unreachable
}
}
[UnmanagedFunctionPointer(CallingConvention.StdCall,
CharSet = CharSet.Unicode,
SetLastError = true)]
delegate int Drecv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
// just use a P-Invoke implementation to get native API access
// from C# (this step is not necessary for C++.NET)
[DllImport("Ws2_32.dll")]
static extern int recv(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
);
public int recv_Hooked(
IntPtr socketHandle,
IntPtr buf,
int count,
int socketFlags
)
{
int len = recv(socketHandle, buf, count, socketFlags);
Queue.Push(String.Format("Received {0} bytes of data on socket {1}", socketHandle, count));
return len;
}
}
}
*
//the ipc interface
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace SocketMon
{
public class SocketMonInterface : MarshalByRefObject
{
public void IsInstalled(Int32 InClientPID)
{
Console.WriteLine("SocketMon has been installed in target {0}.\r\n", InClientPID);
}
public void OnRecvData(Int32 InClientPID, String[] InSocketData)
{
for (int i = 0; i < InSocketData.Length; i++)
{
Console.WriteLine(InSocketData[i]);
}
}
public void ReportException(Exception InInfo)
{
Console.WriteLine("The target process has reported" +
" an error:\r\n" + InInfo.ToString());
}
public void Ping()
{
Console.WriteLine("Got pinged");
}
}
}
我已经尝试将SetExclusiveACL更改为SetInclusiveACL,但这没有帮助......
答案 0 :(得分:3)
我意识到我的代码实际上正在运行......
使用P / Invoke手动调用'recv'工作......
问题是Chrome和Firefox没有使用'recv' - 当我使用SpyStudio挂钩时,他们实际上在'wininet.dll'中调用了其他方法,而不是使用winsocks